Official TEKConn Blog

3 lessons from 2018’s biggest healthcare data breaches

Protecting sensitive patient data should be a top priority for the healthcare community this year.

Protecting sensitive patient data should be a top priority for the healthcare community this year.

Despite the best efforts of the medical community, the number of healthcare data breaches continues to climb. In 2018, the total number of exposed medical records more than doubled over the previous year, totaling roughly 13.2 million compromised files, according to HIPAA Journal.

Thanks to the landmark Anthem breach, 2015 still holds the records when it comes to average healthcare data breach size and exposed medical records, but 2018 had its share of major incidents. Given how quickly cybercriminals update their tactics to counter the latest data security tools, healthcare organizations need to stay on their toes and learn from past mistakes.

There are plenty of healthcare data breaches from the past year to use as educational opportunities, but these three, in particular, can teach us all important lessons about healthcare data security:

1. Watch your vendors – Atrium Health

You can have the most ironclad data security measures in place, but if your vendors and business partners don't adhere to the same standards, your network and database could be at risk.

No one understands this better than Atrium Health, which fell victim to the largest data breach of 2018 that impacted more than 2.6 million patients when it was all said and done. Hackers gained access to patients' medical records by going through Atrium Health's billing vendor, AccuDoc Solutions. Although the culprits were not able to extract any data, they were able to view sensitive patient information for a week before being discovered.

The lesson here? Keep an eye on your vendors and insist that they abide by the same stringent data security practices your organization follows.

Your vendor's data security deficiencies could put your organization at risk.
Your vendor's data security deficiencies could put your organization at risk.

2. The classics still work – UnityPoint Health

Any cybersecurity outlook or prognostication will warn of cutting-edge data breach tactics, sophisticated malware strains and innovative cybercriminals. As scary as AI-enabled malware sounds, you should probably be more afraid of threats that have been around for years.

Case in point: Phishing attacks were still going strong in 2018. Just ask UnityPoint Health, which found itself on the receiving of not one, but two phishing attacks last year. Once the dust settled, more than 1.4 million patients in the Iowa-based healthcare network were affected by these two breaches.

As long as organizations keep falling for old tricks, cybercriminals will continue to take advantage of them and infiltrate healthcare networks and systems.

3. Mind your employees – UnityPoint Health (again), CNO Financial Group

Why was UnityPoint Health's data breach so successful? Because the culprits preyed on the staff's poor security hygiene. All it took was one employee to fall for the phishing attack to compromise the UnityPoint's entire ecosystem.

"Your employees are your first line of defense."

With more sophisticated and targeted phishing techniques, data thieves can fool unsuspecting victims and trick them into clicking on malicious links. That means healthcare organizations need to be more diligent than ever about training staff members on cybersecurity best practices and, in particular, how to spot malicious emails and links.

Employees must also be more mindful about their account credentials and only use login information that would be extremely to guess or crack with the aid of brute-force tools. Health insurance provider, CNO Financial Group fell victim to a data breach last year after malicious actors gained access to login credentials belonging to multiple employees.

Using those accounts as their entry point, the culprits were able to steal a wide variety of sensitive policyholder information, including Social Security numbers, healthcare records and personal data. Approximately 566,000 customers and applicants had their information stolen during the course of this months-long attack.

In many cases, your employees are your first line of defense against costly healthcare data breaches, so be sure to educate them accordingly on best practices.

To prepare your organization for the latest healthcare data security challenges, contact New York's best managed IT services provider, TEKConn, today.